[Bug 530] New: loading nf_nat verision of the iptable_nat module kills existing connections

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Tue Jan 9 14:32:38 CET 2007


           Summary: loading nf_nat verision of the iptable_nat module kills
                    existing connections
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nf_conntrack
        AssignedTo: yasuyuki.kozakai at toshiba.co.jp
        ReportedBy: phelps at gnusto.com

I'm trying to use the new netfilter nf_nat code in linux-2.6.20-rc3 
and running into a minor issue: when I load the iptable_nat module, all 
existing connections stop working, as if the packets are being dropped. 
This is somewhat irritating since the root partition of the machine in 
question is mounted via NFS and, or course, that stops working. 
I've poked around a bit and this section of nf_net_standalone.c appears to 
be the culprit: 
    120:        /* Don't try to NAT if this packet is not conntracked */ 
    121:        if (ct == &nf_conntrack_untracked) 
    122:                return NF_ACCEPT; 
    124:        nat = nfct_nat(ct); 
->  125:        if (!nat) 
->  126:                return NF_DROP; 
If I read this correctly, packets for connections which aren't tracked 
at all are accepted, but packets for connections which are being tracked 
don't have NAT information are dropped. 
Is there any reason why line 126 shouldn't return NF_ACCEPT? 

Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the netfilter-buglog mailing list